4.4 TLS-DSK Authentication Example for version 4 of the protocol

Office
  1. Alice's SIP protocol client sends a REGISTER request with no authorization header field to the SIP server.

     REGISTER sip:contoso.com SIP/2.0
     Via: SIP/2.0/TLS 192.0.2.1:4849
     From: <sip:alice@contoso.com>;tag=22fafb15b8;epid=2ebb6f264f
     To: <sip:alice@contoso.com>
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 1 REGISTER
     Contact: <sip:192.0.2.1:4849;transport=tls>;proxy=replace;+sip.instance="<urn:uuid:124841E4-264D-52E8-96C5-D22AA8CDC316>"
     UserAgent: UCCP/2.0.6362.0 OC/2.0.6362.0 (Microsoft Office Communicator)
     Supported: gruu-10
     Content-Length: 0
      
    
  2. Authentication is enabled at the server, which then challenges Alice's client. The server indicates support for TLS-DSK, Kerberos, and NTLM in the challenge and returns the realm and targetname values that it created during initialization, the version of the authentication protocol that it implements, and the Date header field.

     SIP/2.0 401 Unauthorized
     Date: Sun, 16 Dec 2007 05:11:19 GMT
     WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="server.contoso.com", version=4
     WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/server.contoso.com", version=4
     WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="server.contoso.com", version=4
     From: <sip:alice@contoso.com>;tag=22fafb15b8;epid=2ebb6f264f
     To: <sip:alice@contoso.com>;tag=9588410E2DA11CEE9D0AE7733E07830F
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 1 REGISTER
     Via: SIP/2.0/TLS 192.0.2.1:4849;ms-received-cid=900
     Content-Length: 0
    
  3. The client decides to use TLS-DSK and creates an SA with data from the authentication header field, specifically TLS-DSK, realm, targetname, and version. It uses the TLS protocol implementation to generate a client_hello handshake message, which the client then encodes as the gssapi-data parameter, using the base64 algorithm, and sends the following request to the server.

     REGISTER sip:contoso.com SIP/2.0
     Via: SIP/2.0/TLS 192.0.2.1:4849
     From: <sip:alice@contoso.com>;tag=604168c9c0;epid=2ebb6f264f
     To: <sip:alice@contoso.com>
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 2 REGISTER
     Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", targetname="server.contoso.com", gssapi-data="FgMBAJMBAACPAwFJ5nVu5crf6v0bJApguL4gJbjafFaRyH7qNr", version=4
     Contact: <sip:192.0.2.1:4849;transport=tls>;proxy=replace;+sip.instance="<urn:uuid:124841E4-264D-52E8-96C5-D22AA8CDC316>"
     User Agent: UCCP/2.0.6362.0 OC/2.0.6362.0 (Microsoft Office Communicator)
    Supported: gruu-10
    Content-Length: 0
    
  4. The server extracts the client endpoint identity as the address-of-record in the From header field ("alice@contoso.com") and either the value of the epid parameter in the From header field ("2ebb6f264f") or the value of the +sip.instance parameter in the Contact header field ("urn:uuid:124841E4264D52E896C5D22AA8CDC316"). It creates the SA for the TLS-DSK protocol, initializing it with the client endpoint identifier, version ("3"), generated opaque value ("72118CF0"), and calls into the TLS implementation to process a client_hello message. The TLS implementation creates the negotiation context and generates a response that encapsulates several TLS records containing a TLS server_hello handshake message, followed by a TLS certificate, such as server_key_exchange, and then certificate_request and server_hello_done handshake messages. The server encodes the TLS response as the gssapi-data parameter, using the base64 algorithm, and sends it back to the client in the following 401 Unauthorized response.

     SIP/2.0 401 Unauthorized
     WWW-Authenticate: TLS-DSK opaque="72118CF0", gssapi-data="FgMBCJasdasd", targetname="server.contoso.com", realm="SIP Communications Service", version=4
     From: <sip:alice@contoso.com>;tag=4a2b44d131;epid=8248ca9ebb
     To: <sip:alice@contoso.com>;tag=0858513FA91D3AAE1A5840DDB99599DF
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 2 REGISTER
     Via: SIP/2.0/TLS 192.0.2.1:4320;ms-received-cid=1C500
     Content-Length: 0
    
  5. The client locates the SA that it created for the first challenge message from the server, decodes the value of the gssapi-data parameter using the base64 algorithm, and passes it along with the security context information stored in the SA down to the TLS implementation. The client obtains or locates a previously obtained certificate, and calls the TLS implementation to generate an output token that carries TLS certificate, client_key_exchange, certificate_verify, change_cipher_spec, and finished handshake messages. The client then encodes the TLS token as the gssapi-data parameter, using the base64 algorithm, generates the authorization header field, and sends the following request to the server.

     REGISTER sip:contoso.com SIP/2.0
     Via: SIP/2.0/TLS 192.0.2.1:4320
     From: <sip:alice@contoso.com>;tag=4a2b44d131;epid=2ebb6f264f
     To: <sip:alice@contoso.com>
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 3 REGISTER
     Authorization: TLS-DSK opaque="72118CF0", qop="auth", realm="SIP Communications Service", targetname="server.contoso.com", gssapi-data="FgMBAzasdasd", version=4
     Contact: <sip:192.0.2.1:4849;transport=tls>;proxy=replace;+sip.instance="<urn:uuid:124841E4-264D-52E8-96C5-D22AA8CDC316>"
     UserAgent: UCCP/2.0.6362.0 OC/2.0.6362.0 (Microsoft Office Communicator)
     Supported: gruu-10
     Content-Length: 0
      
    
  6. The server extracts the client endpoint identity from the request and the opaque value from the authorization header field, finds the existing SA, decodes the value of the gssapi-data parameter using the base64 algorithm, and passes it, along with the security context information stored in the SA, down to the TLS implementation. The TLS implementation validates the information passed to it and generates a response that encapsulates one or more TLS records that contain TLS change_cipher_spec and finished handshake messages. At this point, the server notes that TLS negotiation resulted in selecting a ciphersuite with SHA-1 hash function. The server also computes, or derives, client and server authentication keys, as described in section 3.3.5.2. The server then encodes the TLS response as the gssapi-data parameter, using the base64 algorithm, and sends it back to the client in the following 401 Unauthorized response.

     SIP/2.0 401 Unauthorized
     WWW-Authenticate: TLS-DSK opaque="72118CF0", gssapi-data="FAMBAAEBFgasdasd", targetname="server.contoso.com", realm="SIP Communications Service", version=4
     From: <sip:alice@contoso.com>;tag=4a2b44d131;epid=8248ca9ebb
     To: <sip:alice@contoso.com>;tag=0858513FA91D3AAE1A5840DDB99599DF
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 3 REGISTER
     Via: SIP/2.0/TLS 192.0.2.1:4320;ms-received-cid=1C500
     Content-Length: 0
      
    
  7. The client locates the SA that it created for the first challenge message from the server and used in the second challenge, decodes the value of the gssapi-data parameter using the base64 algorithm, and passes it, along with the security context information stored in the SA, down to the TLS implementation for validation. Once server information is validated, the client notes that the TLS negotiation resulted in selecting a ciphersuite with SHA-1 hash function. The client also computes, or derives, client and server authentication keys as described in section 3.2.5.1. Because the server indicated support for version 4 of the protocol in the challenge, and the client also supports version 4, the client generates a crand parameter value, and performs the HMAC computation with the client authentication key and the following buffer, which is based on the content of the REGISTER request.

     <TLS-DSK><1d7d4ecf><1><SIP Communications Service><server.contoso.com><d5f2b95d5be64c2cbfb38aa5d3a87ae7><4><REGISTER><alice@contoso.com><4a2b44d131><alice@contoso.com><><><><>
      
    
  8. The client encodes the result of the HMAC computation call as the response parameter, using the base16 algorithm, replaces characters 'A' through 'F' in the output with their lowercase equivalents ('a' through 'f'), and sends the following request to the server (2).

     REGISTER sip:contoso.com SIP/2.0
     Via: SIP/2.0/TLS 192.0.2.1:4849
     From: <sip:alice@contoso.com>;tag=4a2b44d131;epid=8248ca9ebb
     To: <sip:alice@contoso.com>
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 4 REGISTER
     Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", targetname="server.contoso.com", version=4, crand="1d7d4ecf", cnum="1", response="4321abcdef"
     Contact: <sip:192.0.2.1:4849;transport=tls>;proxy=replace;+sip.instance="<urn:uuid:124841E4-264D-52E8-96C5-D22AA8CDC316>"
     UserAgent: UCCP/2.0.6362.0 OC/2.0.6362.0 (Microsoft Office Communicator)
     Supported: gruu-10
     Content-Length: 0
    
  9. The server extracts the client endpoint identity from the request and the opaque value from the authorization header field, finds the existing SA, decodes the value of the response parameter, using the base16 algorithm, and performs HMAC with the client authentication key and the buffer, which is the same as constructed by the client in step 7. The server then extracts the user identity from the authentication protocol context and validates that the user is authorized to use the "alice@contoso.com" address-of-record. The server can now continue processing the REGISTER request, as described in [RFC3261], and pass it to the SIP registrar component.

  10. After the registrar component completes processing, it sends back a 200 OK response to the client, which is processed by the authentication component on the server. The component locates the SA based on the reference it stored in the Via header field, or on some other mechanism, and it performs the HMAC computation using the server authentication key and the following buffer, constructed based on the following 200 OK response.

     <TLS-DSK><211639C4><SIP Communications Service><server.contoso.com><d5f2b95d5be64c2cbfb38aa5d3a87ae7><4><REGISTER><alice@contoso.com><4a2b44d131><alice@contoso.com><9588410E2DA11CEE9D0AE7733E07830F><><><7200>
    
  11. The server creates an authentication information header field with the result of the preceding HMAC computation, and sends the following response to the client.

     SIP/2.0 200 OK
     AuthenticationInfo: TLS-DSK rspauth="602306092", srand="211639C4", snum="1", opaque="A9A0BB9C", qop="auth", targetname="sip/server.contoso.com", realm="SIP Communications Service"
     From: <sip:alice@contoso.com>;tag=4a2b44d131;epid=8248ca9ebb
     To: <sip:alice@contoso.com>;tag=9588410E2DA11CEE9D0AE7733E07830F
     Call-ID: d5f2b95d5be64c2cbfb38aa5d3a87ae7
     CSeq: 4 REGISTER
     Via: SIP/2.0/TLS 192.0.2.1:4849;ms-received-cid=900
     Contact: <sip:192.0.2.1:4849;transport=tls;msreceivedcid=900>;expires=7200;+sip.instance="<urn:uuid:124841E4264D52E896C5D22AA8CDC316>";gruu="sip:alice@contoso.com;opaque=user:epid:5EFIEk0m6FKWxdIqqM3DFgAA;gruu"
     Expires: 7200
     Content-Length: 0
    
  12. The client receives the message, locates the SA, and uses it to compute the HMAC over the server (2) authentication (2) key and buffer created based on the message data. The buffer that it creates for signature verification is identical to the buffer created by the server (2) when it generated the signature.

Show: